Challenges in cross-border data privacy assessments
In the not too distant past, many organizations viewed the data that they kept on individuals as business property, to be used as the organization determined appropriate. Today, many of the world’s leading markets have adopted regulations that restrict how and when organizations may use those data, and afford the subject individuals rights to access and correct those data. Nations have even adopted regulations that impact how an organization may use such data outside of that nation. Consumer awareness of privacy matters has also risen, creating marketing risks to organizations that are not concerned with data privacy.
The proliferation of national and international data privacy requirements has not been uniform, however. Organizations doing business in multiple jurisdictions are subject to regulatory and cultural variances on what data are protected, how the data must be protected, and what rights are afforded to the enterprise, the regulators and the individual. At this stage, there is no clear model for organizations to embrace in dealing with cross-border privacy issues.
Compliance with national and regional privacy regulations is complex and evolving. Every problem on a local level is compounded exponentially when private information is collected, used or shared across jurisdictions. When a Canadian uses a credit card with a US travel agent to book a cruise from France to Greece on a Norwegian ship, private information will be distributed to numerous entities in multiple jurisdictions over systems that may reside in even more countries. What data are “private,” who has those data and what laws and regulations may apply are by no means clear. Privacy risks may flow from any of a number of sources, including system characteristics, technical architecture and program design.
Privacy impact assessments have been adopted by US, European and other governmental agencies to address their own privacy issues and requirements. Until a more universal best practice emerges, the use of the privacy impact assessment processes adopted by these government agencies certainly seems an approach to privacy compliance that regulators would deem reasonable.
The goals of a privacy impact assessment include:
- Identifying the nature of the personally identifiable information associated with the business process
- Documenting the collection, use, disclosure and destruction of personally identifiable information
- Providing management with a tool to make informed policy, operations and system design decisions, based on an understanding of privacy risk and of the options available for mitigating that risk
- Ensuring that accountability for privacy issues is clearly incorporated in the project
- Creating a consistent format and structured process for analyzing both technical and legal compliance with relevant regulations
- Reducing revisions and retrofitting of information systems for privacy compliance
A critical predicate to a privacy impact assessment is the analysis of the data flows of personally identifiable information associated with cross-border operations and systems: identifying and tracking all personally identifiable information from the point of collection, through all use and distribution, to the point where the information is destroyed.
The wide variety of operations, systems and jurisdictions that may be involved precludes any detailed discussion here, but it is important to understand that the data flow must be identified and documented prior to conducting a privacy impact assessment. This will require documentation of the flow of personally identifiable information throughout the business process, which will require separate consideration of business process diagram documents and data flow tables.
If you would like more information on cross-border data privacy issues that may affect your business, or would like us to assist you in carrying out a privacy impact assessment of your project or business, do not hesitate to get in touch with us.